From 8ad8ca02433c707ce387fcbfd9b0038e3108eff6 Mon Sep 17 00:00:00 2001
From: Wikum Chamith
Date: Sat, 30 Mar 2024 17:09:59 +0530
Subject: [PATCH] TRUNK-6203: Global properties access should be privileged
---
 .../page/controller/LoginPageController.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/omod/src/main/java/org/openmrs/module/referenceapplication/page/controller/LoginPageController.java b/omod/src/main/java/org/openmrs/module/referenceapplication/page/controller/LoginPageController.java
index f5ae2a49..64ff02f0 100644
--- a/omod/src/main/java/org/openmrs/module/referenceapplication/page/controller/LoginPageController.java
+++ b/omod/src/main/java/org/openmrs/module/referenceapplication/page/controller/LoginPageController.java
@@ -33,6 +33,7 @@
 import org.openmrs.ui.framework.annotation.SpringBean;
 import org.openmrs.ui.framework.page.PageModel;
 import org.openmrs.ui.framework.page.PageRequest;
+import org.openmrs.util.PrivilegeConstants;
 import org.openmrs.web.user.CurrentUsers;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.CookieValue;
@@ -150,9 +151,10 @@ public String get(PageModel model, UiUtils ui, PageRequest pageRequest,
 }
 private boolean isLocationUserPropertyAvailable(AdministrationService administrationService) {
+ Context.addProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
 String locationUserPropertyName = administrationService
 .getGlobalProperty(ReferenceApplicationConstants.LOCATION_USER_PROPERTY_NAME);
-
+ Context.removeProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
 return StringUtils.isNotBlank(locationUserPropertyName);
 }
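Review bot: The proxy privilege added in `isLocationUserPropertyAvailable` is not released if `getGlobalProperty` throws, because `Context.removeProxyPrivilege(...)` is a plain statement after the call rather than inside a `finally` block; the `getUserLocations` hunk repeats the same pattern. A `GET_GLOBAL_PROPERTIES` grant that is never removed would presumably stay on the caller's user context beyond this one read, which matters on a login controller, so the add/remove pair should be wrapped in try/finally in both methods. Both methods read the same `LOCATION_USER_PROPERTY_NAME` property, so one private helper holding the try/finally would keep the elevated scope in a single place.

```java
private boolean isLocationUserPropertyAvailable(AdministrationService administrationService) {
	String locationUserPropertyName;
	try {
		Context.addProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
		locationUserPropertyName = administrationService
		        .getGlobalProperty(ReferenceApplicationConstants.LOCATION_USER_PROPERTY_NAME);
	}
	finally {
		// always drop the elevated privilege, even when the lookup fails
		Context.removeProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
	}
	// … unchanged: StringUtils.isNotBlank(locationUserPropertyName) return …
```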
@@ -376,8 +378,10 @@ private boolean isSameUser(PageRequest pageRequest, String username) {
 }
 private List getUserLocations(AdministrationService adminService, LocationService locationService) {
+ Context.addProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
 String locationUserPropertyName = adminService
 .getGlobalProperty(ReferenceApplicationConstants.LOCATION_USER_PROPERTY_NAME);
+ Context.removeProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
 List locations = new ArrayList();
 String locationUuids = Context.getAuthenticatedUser().getUserProperty(locationUserPropertyName);
 if (StringUtils.isNotBlank(locationUuids)) {